CVE Catalog

CVE-2026-2880

Critical
Published: Translated: NVD NIST

Summary

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware. When Fastify router normalization options are enabled, crafted request paths may bypass middleware checks.

Risk Assessment

Organizations may be exposed to unauthorized access to protected resources, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade @fastify/middie to version 9.2.0 or later to mitigate this vulnerability.

Original NVD description (English source)

A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS